Josh Corman on Why the Security Community Doesn’t Control the Story

Corman qualified his judgment call by quoting fellow security blogger Bruce Schneier who said, “We are getting better, but we’re getting worse faster.” Corman admits he had a really tough time last year with the endless stream of differentiated attacks from more adversaries than he’s ever seen before.

While it helps that there’s mainstream acceptance and recognition of the problem, “as a community we’re not really well prepared to rise up to tell them what to do about it. Others are controlling the narrative,” said Corman. “It’s time to level up. We’re past due.”

Sales and marketing has leveled up

Trying not to be too pessimistic, Corman points out that often a vendor’s self-interest is not the security of your enterprise. That’s why he said, “Vendors don’t need to be ahead of the threat. They just need to be ahead of the buyer.”

We’ve unfortunately fooled ourselves into believing that putting these tools in place is in itself security. That unfortunately is not making us any more secure.

“Our belief in the efficacy is diametrically the opposite to the actual reality of the efficacy of these controls,” said Corman

When I asked Corman if the security industry was looking to some unified body to lobby on their behalf, he just laughed as the industry often mocks that type of organization. Unfortunately, he realizes that individual complaining isn’t working. Something has to change.

“How do we professionalize and focus on our common good instead of going at it alone. It’s time to level up. I don’t know what it looks like, but I know the status quo is not working,” warned Corman.